Ironport WSA - Active Directoy Agent

James.Longman · ‎11-05-2012

Hi All,

It's been a little while since I deployed a WSA and I see a new tool, the Active Directoy Agent. I understand from the docs it's used to get usernames from AD for the current logged on user when using NTLM authentication for transparent auth.

My question is why?!

When I last set up a WSA with NTLM for transparent auth we didn't have to use the Agent. NTLM revealed the username as part of what it does and we could use that to bind sessions with access policies, etc.

Yet the docs say:

"Create an NTLM authentication realm and enable transparent user identification.

In addition, you must deploy a separate utility called the Cisco Active Directory Agent (AD Agent). "

So, why is that? What does the agent get me that I didn't use to get? Do I really have to use it?

Thanks all!

Ken Stieers · ‎11-05-2012

James,

No you don't have to use it. It makes a few things work better, namely internet apps that do not support authentication can be authenticated before the app starts using AD. We have a couple of apps that without the ADAgent, the user has to hit an external web page first, then the app will work. Also if you're running windows, but the browser of choice can't do AD integrated auth, this would address the issue..

The ADAgent is the same app as used for the ASA "Identity Firewall" features, you can use the same install...

Ken

James.Longman · ‎11-07-2012

Thanks dude, much appreciated. Seems to be a forum fault and I can't mark this as answered will try again soon.